kubewarden / kubewarden-controller

Manage admission policies in your Kubernetes cluster with ease
https://kubewarden.io
Apache License 2.0

Check if Kubewarden has an equivalent policy to the NeuVector policy that controls the user used in containers. #308

Closed jvanz closed 2 years ago

jvanz commented 2 years ago

Compare the admission controller from NeuVector, checking how its policy to control the container user works. The goal is to figure out if the Kubewarden policy is equivalent to it.

jvanz commented 2 years ago

As far as I can see we can replace the NeuVector rule with our policy user-group-psp-policy. It also checks the user in containers. By the way, our policy checks more things. As we can see in the neuvector/controller/rest/admwebhook.go file, NeuVector gets the user from the container or pod spec (container has precedence). But it does not check init containers. Our policy does.

jvanz commented 2 years ago

Ah! One thing that our policy does not do is to check the PodSpec security context. Our policy only checks the containers' security context. Therefore, I think we should change the user-group-policy to check the PodSpec security context as well. @kubewarden/kubewarden-developers
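The precedence rule discussed in this thread (a container-level `runAsUser` overrides the pod-level one, and init containers must be walked too) is small enough to show in code. The following is an added example written for this page; it is not code from user-group-psp-policy or from NeuVector's admission webhook. It parses only the subset of the Pod schema needed to resolve the effective UID, uses a constructed sample Pod, and assumes a hypothetical allowed UID range of 1000-65535 as the policy setting. A real Kubewarden policy would be compiled to WebAssembly and receive the object inside an AdmissionReview; this runs as plain Go so the resolution logic can be exercised directly.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal subset of the Kubernetes Pod schema needed to resolve the user a
// container runs as. Pointers distinguish "unset" from an explicit 0 (root).
type SecurityContext struct {
	RunAsUser    *int64 `json:"runAsUser,omitempty"`
	RunAsGroup   *int64 `json:"runAsGroup,omitempty"`
	RunAsNonRoot *bool  `json:"runAsNonRoot,omitempty"`
}

type Container struct {
	Name            string           `json:"name"`
	SecurityContext *SecurityContext `json:"securityContext,omitempty"`
}

type PodSpec struct {
	SecurityContext *SecurityContext `json:"securityContext,omitempty"`
	InitContainers  []Container      `json:"initContainers,omitempty"`
	Containers      []Container      `json:"containers"`
}

type Pod struct {
	Spec PodSpec `json:"spec"`
}

// EffectiveUser applies the Kubernetes precedence rule: a container-level
// runAsUser wins over the pod-level one. ok is false when neither level sets
// it, in which case the image's USER directive decides at runtime and the
// policy cannot know the UID from the manifest alone.
func EffectiveUser(pod *PodSpec, c *Container) (uid int64, ok bool) {
	if c.SecurityContext != nil && c.SecurityContext.RunAsUser != nil {
		return *c.SecurityContext.RunAsUser, true
	}
	if pod.SecurityContext != nil && pod.SecurityContext.RunAsUser != nil {
		return *pod.SecurityContext.RunAsUser, true
	}
	return 0, false
}

// Violation names the offending container (prefixed with its kind) and why.
type Violation struct {
	Container string
	Reason    string
}

// ValidatePodUsers walks init containers and regular containers and reports
// every container whose effective UID is unset or outside [minUID, maxUID].
// Init containers are included deliberately: they run before the app
// containers and a root init container is just as much a policy bypass.
func ValidatePodUsers(raw []byte, minUID, maxUID int64) ([]Violation, error) {
	var pod Pod
	if err := json.Unmarshal(raw, &pod); err != nil {
		return nil, err
	}
	var violations []Violation
	check := func(kind string, c Container) {
		uid, ok := EffectiveUser(&pod.Spec, &c)
		name := kind + "/" + c.Name
		switch {
		case !ok:
			violations = append(violations, Violation{name, "runAsUser not set at container or pod level"})
		case uid < minUID || uid > maxUID:
			violations = append(violations, Violation{name,
				fmt.Sprintf("runAsUser %d outside allowed range %d-%d", uid, minUID, maxUID)})
		}
	}
	for _, c := range pod.Spec.InitContainers {
		check("initContainer", c)
	}
	for _, c := range pod.Spec.Containers {
		check("container", c)
	}
	return violations, nil
}

// samplePod is a constructed manifest, not taken from any real cluster: the
// pod sets runAsUser 1000, "app" inherits it, "sidecar" overrides it with
// 2000, and the init container overrides it with 0 (root).
const samplePod = `{
  "spec": {
    "securityContext": {"runAsUser": 1000},
    "initContainers": [
      {"name": "setup", "securityContext": {"runAsUser": 0}}
    ],
    "containers": [
      {"name": "app"},
      {"name": "sidecar", "securityContext": {"runAsUser": 2000}}
    ]
  }
}`

func main() {
	violations, err := ValidatePodUsers([]byte(samplePod), 1000, 65535)
	if err != nil {
		panic(err)
	}
	for _, v := range violations {
		fmt.Printf("%s: %s\n", v.Container, v.Reason)
	}
}
```

With the sample above only `initContainer/setup` is rejected: a check that looked at `spec.containers[].securityContext` alone would pass the pod, and one that ignored `spec.securityContext` would wrongly flag `app` as having no user. Treating "unset at both levels" as a violation is a design choice for the example; a policy that wants to allow image defaults would instead return ok and rely on `runAsNonRoot`.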

jvanz commented 2 years ago

https://github.com/kubewarden/user-group-psp-policy/issues/36

flavio commented 2 years ago

Let's close this issue and track that via https://github.com/kubewarden/user-group-psp-policy/issues/36